The UK's financial regulators are to be given powers to test the resilience of big cloud providers like IBM, Google, Microsoft and Amazon and perform on-site inspections.
The world's regulatory bodies have become increasingly concerned about the reliance of banks on a small number of Big Tech cloud providers.
The Bank of England’s Financial Policy Committee in 2021 criticised the opaque nature of cloud contracts and concluded “the increasing reliance on a small number of cloud service providers and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide.”
According to HM Treasury, over 65% of UK firms used the same four cloud providers in 2020, raising concerns about widespread disruption to critical financial services in the event of a power outage.
The new 'critical third party regime' will give Britain's financial watchdogs the power to extend their oversight of individual firm risk arrangements with cloud providers to "manage potential systemic risks stemming from concentration in the simultaneous provision of material services to multiple firms".
In practice, the regulator will be able to:
request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements;
commission an independent ‘skilled person’ to report on certain aspects of a critical third party’s services;
appoint an investigator to look into potential breaches of requirements under the legislation;
interview a representative of a critical third party and require the production of documents;
enter a critical third party’s premises under warrant as part of an investigation.
Once legislation is in place, the FCA, Bank of England and PRA will be granted a suite of statutory powers, including the power to direct critical third parties to take or refrain from taking specific actions, and enforcement powers including a power to publicise failings and to prohibit a critical third party from providing future services, or continuing to provide services, to firms.